npm

@logdna-web/styles @0.8.40

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10226

Ecosystem

npm

Summary

Package is published under a scope that impersonates the legitimate @logdna / LogDNA brand and is named 'styles', but its actual purpose is error reporting via Sentry. package.json declares scripts.preinstall = 'npm install @sentry/node && node examples/verify.js'. The preinstall script (examples/verify.js) fetches the installer machine's public IP from Cloudflare's /cdn-cgi/trace endpoint, then deliberately triggers an exception which @sentry/node — initialized with a hardcoded DSN at o4510485815754752.ingest.us.sentry.io (project 4511632708141056) belonging to the package author — captures and uploads, sending the installer's egress IP and event metadata to the author's Sentry project at npm install time without disclosure or opt-out. Separately, src/index.js exports an init() that falls back to the same hardcoded DEFAULT_DSN whenever the caller does not pass options.dsn and SENTRY_DSN is unset, and forces sendDefaultPii:true, so any consumer who calls init() without explicit configuration silently routes their captured errors, user context, and IPs to the author's Sentry project rather than their own. The scope/name mismatch with the advertised 'styles' purpose, combined with install-time IP exfiltration and a silent-relay default in the public API, is consistent with opportunistic targeting of developers searching for LogDNA packages.

Source: amazon-inspector (578fbb4ba04912bad5d72e105ec24a7d02ad2ae610058ba2f866955e13df40e3)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.